Backdoor:Win32/Hackdef.E

Checks for the presence of configuration code that it recognizes. The code contains parameters for changing settings on the target computer. The code can be contained in a .ini or .dll file, or in the Trojan code itself. Settings in the configuration code determine rootkit operations such as:

Creates mailslots on the infected computer that function as backdoors to exchange commands and information with attackers. The rootkit first creates a default mailslot to receive requests from attackers. For each attacker, it creates a separate, private mailslot and notifies the attacker of the mailslot name. The attacker can then send commands through the private mailslot to control the functionality of the rootkit on the target computer. For example, the attacker may refresh the configuration file on the infected computer.

Creates a mapping object in memory to store original data from Windows system APIs.

Checks for the presence of a driver that it needs to run custom code in kernel mode.

Creates the driver if it does not already exist.

Saves the driver to a file, so that the driver runs whenever Windows starts.

Starts the driver. The driver duplicates process tokens to obtain process-related information so that the rootkit can alter functionality of those processes as they run from memory.

Creates new registry keys. For example, it creates a registry key to run the driver whenever Windows restarts.